28 March, 2023
Software security is now a number one risk worldwide. It is literally on the US president’s agenda who has recently announced the national cybersecurity strategy. Data breaches are regular events. Even the most security-aware firms out there are struggling to tackle the application security (AppSec) challenge. Let alone the scale-ups with a limited expertise in the domain of software security do not even stand the chance. Yet software security is not a rocket science. It is a well-defined problem with an overwhelming amount of resources easy to tap into. The perennial question that lingers though is how much should I spend on software security. In this blog I look into the cost of introducing application security at a scale-up.
Why software companies struggle with software security?
It is ironic that many of the data breaches in retrospect could have been (easily) prevented by leveraging the body of knowledge within the OWASP community and projects. One of the factors in the current realities is that security always gets limited budget, hence limited attention. That is all but a surprise. Security is rarely used as an essential added value to the software product. Companies consider software security a pain rather than an opportunity. Factors, such as reputation damage as well as regulatory pressures provide a clear motivation to become at least as good as your peers. However, the main contributing factor to the software security realities is the inefficient security budget spending.
The OWASP community provides lots of resources, best practices and tools to help any company build an effective AppSec programme. However all of that is overwhelming, especially from a scale-up perspective. There is a lot of noise in terms of the most efficient security practices and it is unclear where to start. Adding security tooling is the obvious low hanging fruit, but does not always bring the best return on investment. In fact, it might even be counterproductive and overwhelm the security teams literally with noise.
What is a good starting point to introduce software security to my firm?
Based on my 15+ years of academic and industry experience in software security as well as managing an AppSec programme for both small and large companies I can draw the following conclusions when it comes to the roadmap and the cost of software security:
- Start with OWASP SAMM. SAMM is a full-blown AppSec management program and it is the table of contents for nearly the complete body of knowledge within the OWASP community.
- Educate everyone as the tool with a fool is still a tool (this is not a typo).
- Introduce a mandatory general software security training track for everyone in your team. This training should at least include a training on OWASP Top 10, security design principles, web application security fundamentals. For a full list I refer to one of my earlier blogs.
- Ideally everyone, but at least your test engineering team member(s) should get an additional training on OWASP Application Security Verification Standard and the Mobile Application Security Verification Standard.
- Finally, do select security champion(s) and teach subscribe them for a certified pen tester course track.
- Threat model to explicitly focus on risk, rather then the useless CVSS impact scores. Your full team should learn how to threat model and threat modeling should be a pragmatic activity done as a group at least once a month.
- Focus on effective security testing. In addition to functional tests your QA teams should create a set of security requirements tests that you run as a regression. Your security champions should run periodic pen tests by focusing on risk, rather than spitting out a 100 page PDF report.
How much does a decent software security programme cost to my company?
The short answer is roughly 12% of your yearly manpower time for year 1. After that probably less, but once you get the taste of being a champion you are likely to want to keep it up. I cannot provide a quantitative measurement for your return on investment. Qualitatively though, you will have taught your team “to fish, instead of bringing them the fish”.
Here are the rough estimates for a technical team of 6 engineers. Let’s call one of these engineers to be your AppSec senior manager / security champion, one of them would be a purple team member in charge of pen testing and one of them would be in charge of testing and verification.
|Type of work||Description||Total person-days per year|
|Management||Your AppSec manager will need about half a day per week for managing SAMM||22|
|Your engineering team will need about 80 hours to watch the basic security curriculum trainings||60|
|Your full team should take an in-depth 2-day Threat Modeling training||12|
|Your testing engineer(s) would need about a week to familiarize themselves with OWASP ASVS||5|
|Your purple team member(s) would roughly need 2 person-months to get a decent pen testing training||40|
|Lets assume your full team will participate in a monthly 2-hour threat modeling session for at least one of your software products||18|
|Pen testing by your purple team that takes roughly a week and let’s run that twice a year||10|
|Decent ASVS-based regression tests by your test engineer(s) should take about 20 days||20|
|Total person-days for a 6-member team:||187|
For a team of 6 that comes down to roughly 12% of your team’s total workforce time.
While my calculations reflect only on technical team members it is essential to include everyone else in the AppSec education and training programme. That would dilute the numbers presented here and lower your total security budget requirements.
What about SBOM and other DevSecOps tools?
In a mature AppSec programme tools are absolutely critical to improve productivity. Unfortunately throwing the tools at the application security problem is not going to magically solve it. It might even make the situation worse if you don’t have an Application Security programme in place. I strongly believe that once your AppSec programme is up-and-running adding all of these tools is a matter of hours to plug them in and make them work for you.